Add client ssl tests for MariaDB and MySQL

Author: ThibsG

sqlx-core/src/mysql/options/parse.rs

@@ -43,11 +43,11 @@ impl FromStr for MySqlConnectOptions {
 
         for (key, value) in url.query_pairs().into_iter() {
             match &*key {
-                "ssl-mode" => {
+                "sslmode" | "ssl-mode" => {
                     options = options.ssl_mode(value.parse().map_err(Error::config)?);
                 }
 
-                "ssl-ca" => {
+                "sslca" | "ssl-ca" => {
                     options = options.ssl_ca(&*value);
                 }
 
@@ -59,9 +59,9 @@ impl FromStr for MySqlConnectOptions {
                     options = options.collation(&*value);
                 }
 
-                "sslcert" => options = options.ssl_client_cert(&*value),
+                "sslcert" | "ssl-cert" => options = options.ssl_client_cert(&*value),
 
-                "sslkey" => options = options.ssl_client_key(&*value),
+                "sslkey" | "ssl-key" => options = options.ssl_client_key(&*value),
 
                 "statement-cache-capacity" => {
                     options =

tests/.dockerignore

@@ -1,6 +1,7 @@
 *
 !certs/*
 !keys/*
+!mysql/my.cnf
 !mssql/*.sh
 !postgres/pg_hba.conf
 !*/*.sql

tests/docker-compose.yml

@@ -19,6 +19,21 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mysql_8_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mysql:8.0.27
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MYSQL_ROOT_HOST: '%'
+            MYSQL_DATABASE: sqlx
+            MYSQL_ALLOW_EMPTY_PASSWORD: 1
+
     mysql_5_7:
         image: mysql:5.7
         volumes:
@@ -30,6 +45,21 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mysql_5_7_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mysql:5.7
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MYSQL_ROOT_HOST: '%'
+            MYSQL_DATABASE: sqlx
+            MYSQL_ALLOW_EMPTY_PASSWORD: 1
+
     mysql_5_6:
         image: mysql:5.6
         volumes:
@@ -41,6 +71,21 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mysql_5_6_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mysql:5.6
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MYSQL_ROOT_HOST: '%'
+            MYSQL_DATABASE: sqlx
+            MYSQL_ALLOW_EMPTY_PASSWORD: 1
+
     #
     # MariaDB 10.6, 10.5, 10.4, 10.3, 10.2
     # https://mariadb.org/about/#maintenance-policy
@@ -56,6 +101,20 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mariadb_10_6_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mariadb:10.6
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MARIADB_DATABASE: sqlx
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+
     mariadb_10_5:
         image: mariadb:10.5
         volumes:
@@ -66,6 +125,20 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mariadb_10_5_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mariadb:10.5
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MARIADB_DATABASE: sqlx
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+
     mariadb_10_4:
         image: mariadb:10.4
         volumes:
@@ -76,6 +149,20 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mariadb_10_4_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mariadb:10.4
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MARIADB_DATABASE: sqlx
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+
     mariadb_10_3:
         image: mariadb:10.3
         volumes:
@@ -86,6 +173,20 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mariadb_10_3_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mariadb:10.3
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MARIADB_DATABASE: sqlx
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+
     mariadb_10_2:
         image: mariadb:10.2
         volumes:
@@ -96,6 +197,20 @@ services:
             MYSQL_ROOT_PASSWORD: password
             MYSQL_DATABASE: sqlx
 
+    mariadb_10_2_client_ssl:
+        build:
+            context: .
+            dockerfile: mysql/Dockerfile
+            args:
+                IMAGE: mariadb:10.2
+        volumes:
+            - "./mysql/setup.sql:/docker-entrypoint-initdb.d/setup.sql"
+        ports:
+            - 3306
+        environment:
+            MARIADB_DATABASE: sqlx
+            MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+
     #
     # PostgreSQL 14.x, 13.x, 12.x, 11.x 10.x, 9.6.x
     # https://www.postgresql.org/support/versioning/

tests/docker.py

@@ -56,15 +56,29 @@ def start_database(driver, database, cwd):
 
     port = int(res.stdout[1:-2].decode())
 
+    # need additional permissions to connect to MySQL when using SSL
+    res = subprocess.run(
+        ["docker", "exec", f"sqlx_{driver}_1", "mysql", "-u", "root", "-e", "GRANT ALL PRIVILEGES ON *.* TO 'root' WITH GRANT OPTION;"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        cwd=dir_tests,
+    )
+
+    if res.returncode != 0:
+        print(res.stderr, file=sys.stderr)
+
+    # do not set password in URL if authenticating using SSL key file
+    if driver.endswith("client_ssl"):
+        password = ""
+    else:
+        password = ":password"
+
     # construct appropriate database URL
     if driver.startswith("mysql") or driver.startswith("mariadb"):
-        return f"mysql://root:password@127.0.0.1:{port}/{database}"
+        return f"mysql://root{password}@localhost:{port}/{database}"
 
     elif driver.startswith("postgres"):
-        if driver.endswith("client_ssl"):
-            return f"postgres://postgres@localhost:{port}/{database}"
-        else:
-            return f"postgres://postgres:password@localhost:{port}/{database}"
+        return f"postgres://postgres{password}@localhost:{port}/{database}"
 
     elif driver.startswith("mssql"):
         return f"mssql://sa:[email protected]:{port}/{database}"

tests/mysql/Dockerfile

@@ -0,0 +1,15 @@
+ARG IMAGE
+FROM ${IMAGE}
+
+# Copy SSL certificate (and key)
+COPY certs/server.crt /etc/mysql/ssl/server.crt
+COPY certs/ca.crt /etc/mysql/ssl/ca.crt
+COPY keys/server.key /etc/mysql/ssl/server.key
+COPY mysql/my.cnf /etc/mysql/my.cnf
+
+# Fix permissions
+RUN chown mysql:mysql /etc/mysql/ssl/server.crt /etc/mysql/ssl/server.key
+RUN chmod 0600 /etc/mysql/ssl/server.crt /etc/mysql/ssl/server.key
+
+# Create dir for secure-file-priv
+RUN mkdir -p /var/lib/mysql-files

tests/mysql/my.cnf

@@ -0,0 +1,4 @@
+[mysqld]
+ssl-ca=/etc/mysql/ssl/ca.crt
+ssl-cert=/etc/mysql/ssl/server.crt
+ssl-key=/etc/mysql/ssl/server.key

tests/x.py

@@ -138,16 +138,6 @@ def run(command, comment=None, env=None, service=None, tag=None, args=None, data
                 tag=f"postgres_{version}" if runtime == "async-std" else f"postgres_{version}_{runtime}",
             )
 
-        ## +ssl
-        for version in ["14", "13", "12", "11", "10", "9_6"]:
-            run(
-                f"cargo test --no-default-features --features macros,offline,any,all-types,postgres,runtime-{runtime}-{tls}",
-                comment=f"test postgres {version} ssl",
-                database_url_args="sslmode=verify-ca&sslrootcert=.%2Ftests%2Fcerts%2Fca.crt",
-                service=f"postgres_{version}",
-                tag=f"postgres_{version}_ssl" if runtime == "async-std" else f"postgres_{version}_ssl_{runtime}",
-            )
-
         ## +client-ssl
         for version in ["14_client_ssl", "13_client_ssl", "12_client_ssl", "11_client_ssl", "10_client_ssl", "9_6_client_ssl"]:
             run(
@@ -170,6 +160,16 @@ def run(command, comment=None, env=None, service=None, tag=None, args=None, data
                 tag=f"mysql_{version}" if runtime == "async-std" else f"mysql_{version}_{runtime}",
             )
 
+        ## +client-ssl
+        for version in ["8_client_ssl", "5_7_client_ssl", "5_6_client_ssl"]:
+            run(
+                f"cargo test --no-default-features --features macros,offline,any,all-types,mysql,runtime-{runtime}-{tls}",
+                comment=f"test mysql {version} no-password",
+                database_url_args="sslmode=verify_ca&ssl-ca=.%2Ftests%2Fcerts%2Fca.crt&ssl-key=.%2Ftests%2Fkeys%2Fclient.key&ssl-cert=.%2Ftests%2Fcerts%2Fclient.crt",
+                service=f"mysql_{version}",
+                tag=f"mysql_{version}_no_password" if runtime == "async-std" else f"mysql_{version}_no_password_{runtime}",
+            )
+
         #
         # mariadb
         #
@@ -182,6 +182,16 @@ def run(command, comment=None, env=None, service=None, tag=None, args=None, data
                 tag=f"mariadb_{version}" if runtime == "async-std" else f"mariadb_{version}_{runtime}",
             )
 
+        ## +client-ssl
+        for version in ["10_6_client_ssl", "10_5_client_ssl", "10_4_client_ssl", "10_3_client_ssl", "10_2_client_ssl"]:
+            run(
+                f"cargo test --no-default-features --features macros,offline,any,all-types,mysql,runtime-{runtime}-{tls}",
+                comment=f"test mariadb {version} no-password",
+                database_url_args="sslmode=verify_ca&ssl-ca=.%2Ftests%2Fcerts%2Fca.crt&ssl-key=.%2Ftests%2Fkeys%2Fclient.key&ssl-cert=.%2Ftests%2Fcerts%2Fclient.crt",
+                service=f"mariadb_{version}",
+                tag=f"mariadb_{version}_no_password" if runtime == "async-std" else f"mariadb_{version}_no_password_{runtime}",
+            )
+
         #
         # mssql
         #